NTLM authentication

NTLM is the most complex of the authentication protocols supported by a basic web
server.

NTLM is the most complex of the authentication protocols supported by a basic web server such as
HttpClient. It is a proprietary protocol designed by Microsoft with no publicly available
specification. Early versions of NTLM were less secure than Digest authentication due to
faults in the design. However, these were fixed in a service pack for Windows NT 4 and the
protocol is now considered more secure than Digest authentication.

NTLM authentication requires that an instance of NTCredentials be available for the domain
name of the server or the default credentials. Since NTLM does not use the notion of realms,
HttpClient uses the domain name of the server as the name of the realm. Also, the username
provided to the NTCredentials should not be prefixed with the domain:

Correct: adrian

Incorrect: DOMAIN\adrian

There are some significant differences in the way NTLM works compared with basic and digest
authentication. These differences are generally handled by HttpClient. However, having an
understanding of these differences can help you avoid problems when using NTLM
authentication.

NTLM authentication works almost exactly the same as any other form of authentication
in terms of the HttpClient API. The only difference is that you need to supply
NTCredentials instead of UsernamePasswordCredentials (NTCredentials actually extends
UsernamePasswordCredentials so you can use NTCredentials right throughout your
application, if needed).

The realm for NTLM authentication is the domain name of the computer being connected.
This can be troublesome because servers often have multiple domain names. Only the
domain name that HttpClient connects to, as specified by the HostConfiguration, is used
to look up the credentials. While initially testing NTLM authentication, it is best to
pass the realm in as null, which is used as the default.

NTLM authenticates a connection, not a request. You therefore need to authenticate every
time a new connection is made, and keeping the connection open during authentication is
vital. For this reason, NTLM cannot be used to authenticate with both a proxy server and
the web server, nor can NTLM be used with HTTP 1.0 connections or web servers that do
not support HTTP keep-alives.

Note: Set these properties from the System Properties [sys_properties] table.

Table 1. NTLM authentication

| Property | Description | Examples |
|---|---|---|
| glide.http.proxy_ntusername | Specify the username used to authenticate the proxy server with NTLM authentication. Type: string. Default value: none. | username |
| glide.http.proxy_ntpassword | Specify the password used to authenticate the proxy server with NTLM authentication. Type: string. Default value: none. | password |
| glide.http.proxy_nthost | Specify the hostname used to authenticate the proxy server with NTLM authentication. Type: string. Default value: none. | nthost |
| glide.http.proxy_ntdomain | Specify the domain used to authenticate the proxy server with NTLM authentication. | |
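
A check for the four proxy properties in Table 1 against the username rule given earlier (adrian, not DOMAIN\adrian). This is an added example, not ServiceNow or HttpClient code: the function names and sample values are hypothetical, and it assumes the rule stated for NTCredentials also applies to glide.http.proxy_ntusername and that the four properties are set together.

```javascript
// Added example, not ServiceNow code. Assumption: the "no domain prefix" rule
// the page gives for NTCredentials also applies to glide.http.proxy_ntusername,
// and all four properties are meant to be set together.
const PREFIX = 'glide.http.proxy_nt';
const FIELDS = ['username', 'password', 'host', 'domain'];

// Split "DOMAIN\user" into its parts; a bare name yields an empty domain.
function splitAccount(raw) {
  const value = String(raw == null ? '' : raw);
  const slash = value.indexOf('\\');
  if (slash === -1) return { domain: '', username: value };
  return { domain: value.slice(0, slash), username: value.slice(slash + 1) };
}

// Return human-readable findings; an empty array means nothing to fix.
function lintNtlmProxyProps(props) {
  const get = (f) => String(props[PREFIX + f] == null ? '' : props[PREFIX + f]);
  const findings = [];
  if (FIELDS.every((f) => get(f) === '')) return findings; // NTLM proxy auth unused
  for (const f of FIELDS) {
    if (get(f) === '') findings.push(PREFIX + f + ' is empty but other NTLM properties are set');
    else if (get(f) !== get(f).trim()) findings.push(PREFIX + f + ' has leading or trailing whitespace');
  }
  const acct = splitAccount(get('username'));
  if (acct.domain !== '') {
    const configured = get('domain');
    const clash = configured !== '' && configured.toLowerCase() !== acct.domain.toLowerCase();
    findings.push(PREFIX + 'username is domain-prefixed: use "' + acct.username + '" and set ' +
      PREFIX + 'domain to "' + acct.domain + '"' +
      (clash ? ' (currently "' + configured + '", which disagrees)' : ''));
  }
  return findings;
}

// Constructed sample values for illustration.
const SAMPLE_BAD = {
  'glide.http.proxy_ntusername': 'DOMAIN\\adrian',
  'glide.http.proxy_ntpassword': 'example-password',
  'glide.http.proxy_nthost': 'nthost',
  'glide.http.proxy_ntdomain': '',
};
const SAMPLE_GOOD = Object.assign({}, SAMPLE_BAD, {
  'glide.http.proxy_ntusername': 'adrian',
  'glide.http.proxy_ntdomain': 'DOMAIN',
});

for (const line of lintNtlmProxyProps(SAMPLE_BAD)) console.log('FINDING: ' + line);
console.log('clean set findings:', lintNtlmProxyProps(SAMPLE_GOOD).length);
```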